We discussed the basic principles for the use of HiJackThis in yesterday's article. In this article we will go deeper by directly interpreting the HiJackThis Logs. If you do not have any idea of what those logs mean, this article will get you started. Of course, this will not fix all issues pertaining to malware, but it will give you a good head start on your education.
Assuming you have installed HiJackThis in your computer, turn on System Restore. Now, with an anti-virus installed, we are ready to interpret and fix malware issues using HiJackThis.
However, note that correcting problems using HiJackThis is considered risky. So take the precautions described in yesterday's article, "Introduction to HiJackThis for Windows XP."
HJT Process Analysis
Analyzing HJT (Hijackthis) logs can be broken down into two sub-steps. The first is what I call "process analysis" and the second is called "HJT group code analysis."
A critical security breach, such as those involving Trojan exploits, can be mostly detected in the process analysis step. These tend to disguise themselves as reputable Windows XP processes (with the .exe extension).
In the HJT group code analysis, we get into analyzing browser help objects (BHO), registry entries and running Windows services. Most spyware/malware and browser hijackers can be detected in this group.
Okay, let's start with process analysis. Say that we have this simple log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:44 PM, on 9/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
A Trojan/malware process does not reside in the correct or intended path, and can be detected by scanners. It is a red flag if the process path is not using its standard path as defined by the community and its vendors. Trojans will not overwrite this legitimate file, because if they do, it will cause a system malfunction. To analyze those .EXE/processes, refer to the flow chart below:
By first using this tool, we will get the default/standard process path of the file under analysis. Then we compare it to the installed path as reported by HJT, to see if it's the same. If it is, then the process or file is clean.
If it is not, we will scan it manually (one file at a time) using http://virusscan.jotti.org/ or http://www.virustotal.com/ and see the results of those top scanners. Alternatively, one of the best free malware detection tools for confirmation is Malwarebytes Anti-Malware, which you can download for free. Install it in your computer, and then right click on the file and choose "Scan with Malwarebytes Anti-Malware." If it is indeed a Trojan/malware, we will remove it using HJT or the anti-malware software.
If the file is not infected as reported by the scanning system provided above, it is clean and the file is installed in a path that is different from the default. This happens in other configurations when the process exists in different paths. Relying solely on file or process paths can result in false positives.
KEITHLEE2/home/servers/www.devhardware.com/www/zdeconfigurator/configs/INFUSIONSOFT_OVERLAY.php/home/servers/www.devhardware.com/www/zdeconfigurator/configs/ OFFLOADING INFUSIONSOFTLOADING INFUSIONSOFT 1debug:overlay status: OFF overlay not displayed overlay cookie defined: TI_CAMPAIGN_1012_D OVERLAY COOKIE set: status off
